Google’s opaque practices to restrict fingerprinting create confusion among its ad tech partners

google reaper

Google’s stance on fingerprinting is as clear as mud, say ad tech execs.

Fingerprinting is a method that pieces together information to decipher someone’s identity, and Google prohibits the practice. However, ad tech execs working with the company say they need their own Rosetta Stone to decode exactly what types of tech might be caught by Google’s fingerprinting detection sensors. The lack of clarity on what techniques Google will or won’t allow could affect the financial health of ad tech firms, depending on how Google cracks down on the practice. Not only might other companies they work with employ the maligned method, but the companies themselves may provide tech using probabilistic methods — i.e. piecing together different types of information to identify an individual — that could be construed as fingerprinting.

“We are supportive of initiatives that prevent fingerprinting to protect publisher and user data. However, we think that Google’s statements on fingerprinting are confusing and are holding the industry back from adopting scalable future-proof solutions,” said Mathieu Roche, CEO of identity tech firm ID5, which employs probabilistic techniques to assign and track people’s identity for ad targeting and measurement.

Since at least 2019, Google has focused its justification for restricting fingerprinting around data privacy. “We believe users should have adequate transparency and control in digital advertising. Fingerprinting does not allow for this, which is why it is against our policies,” a company spokesperson told Digiday. “We are continuing to work with the industry on ads standards that preserve user privacy and control while allowing for measurement and fraud prevention.”

However, Google has refrained from disclosing its definition of fingerprinting. The company declined to provide Digiday with details of how it defines fingerprinting internally, nor would it explain how it monitors for use fingerprinting in tech operating on its ad systems. “We look at a number of signals when reviewing compliance with our policies, but we don’t discuss how we detect or enforce them so that bad actors can’t work around our detection or enforcement,” said the spokesperson.

As digital ad players parse Google’s statements about how it will treat use of data and identifiers when it stops accepting third-party cookies in its Chrome browser, more companies want to test ways to identify people for advertising without cookies. That includes tech that could fall under Google’s mysterious definition of fingerprinting. One ad tech exec who spoke on condition of anonymity said, “More and more companies need to rely on fingerprinting to actually have a persistent ID to work with.” The exec added that probabilistic identifiers “are based on fingerprinting tech but they’re not calling it fingerprinting.”

There is interest in fingerprinting tech to identify a browser and enable persistent data storage in the absence of cookies. “The ad tech industry needs to come up with something that is able to derive an identifier for a browser that is able to do retargeting,” said Bill Budington, a senior staff technologist with privacy advocacy group Electronic Frontier Foundation who has tracked use of fingerprinting over the years. 

Already, companies are trying surreptitious fingerprinting methods to circumvent Apple’s crackdown on app tracking in its mobile operating system.

Relying on ‘what we believe Google is laying out as acceptable’

Companies like Flashtalking have built identity tech they believe satisfies Google’s fingerprinting rules, though it might seem more like reading tea leaves. The firm, which is certified to serve third-party ads on Google-owned YouTube, uses more than 30 data signals — things such as browser version, operating system, plugins that have been installed, time zone or other tidbits — to create a persistent identifier to use to target ads to an individual and measure how that person responds to those ads, for instance, whether they visit the advertiser’s site.

As far as Flashtalking is concerned, Google will be just fine with the latest evolution of its technology, which connects disparate identifiers to track user identity across the web, because the company provides notice of the practice and allows people to opt out from it via a tiny icon featured in the ads it serves. “We are taking our direction from what Google has published on its blog, and carefully choosing how we operate to stay within what we believe Google is laying out as acceptable,” said Flashtalking CEO Joe Nardone.

Nardone is referring to a January 2021 post from Chetna Bindra, Google’s group product manager, user trust and privacy. The post addresses Google’s “anti-fingerprinting” goal, stating the company is developing ways to protect people from “opaque or hidden techniques that share data about individual users” including tech that uses “a device’s IP address to try and identify someone without their knowledge or ability to opt out.” Flashtalking’s own privacy policy states that the firm might identify people “through the IP address from which you interact with the services and the user agent string broadcast by your browser or device,” but the company believes Google will allow use of IP or other device characteristic data for identification so long as it lets people opt out. 

“Our take is: let’s be as literal as possible and give [people] that notification and opt out on every single impression,” Nardone said.

But Google’s statements on that point are as literal as a Jackson Pollock mural. Similar confusion has emerged as ad tech firms have attempted to interpret Google’s stance on identifiers that employ emails or other personal data to track people.

Google’s IAB riddle, wrapped in a mystery, inside an enigma

Even when Google does get in-the-weeds on its fingerprinting stance, it has some people scratching their heads. For instance, the company’s guidance for ad tech vendors states it will work with companies that are registered to employ methods defined in the Interactive Advertising Bureau Europe’s transparency and consent framework (TCF v2.0) — specifically Feature 3 and Special Feature 2 — both of which the IAB itself says could be considered fingerprinting. According to IAB documentation, Feature 3 creates an identifier or re-identifies a device using data collected automatically from a device such as IP address, while Special Feature 2 uses active scanning of device characteristics to create identifiers or re-identify a device. IAB guidelines require tech vendors to obtain opt-in consent from people in order to use Special Feature 2.

“[Fingerprinting] is usually defined as a set of information elements that identifies a device or application instance, so both processing operations under Feature 3 and Special Feature 2 could be considered fingerprinting,” said Helen Mussard, CMO of IAB Europe. While she said IAB Europe has no guidance advising against fingerprinting, it does require that vendors employing those features comply with the European Union’s ePrivacy directive

Related
hybrid working model
Member Exclusive
Media Briefing: How media companies’ DE&I efforts, office return statuses are affecting hiring

But here’s where things get confusing for some people. In its guidelines for vendors, Google says it will work with firms that use both features, but adds, “However, we remind you that our policies prohibit fingerprinting for identification (e.g., Requirements for Third Party Ad Serving), and we require that you adhere to our policies, which can be more restrictive than the TCF v2.0 in some cases, whenever you work with us.” Translation: We’ll work with you if you do fingerprinting, but you can’t do fingerprinting when you work with us.

The ad tech exec who spoke on condition of anonymity said they have asked Google whether the firm “has an exception here” or if Google can provide more information about its policies on fingerprinting, but has come up empty-handed. Another ad tech exec speaking anonymously called Google’s phrasing around TCF in relation to fingerprinting, “torturous.”

When asked about the perceived discrepancy, the Google spokesperson told Digiday, “We recognize that some vendors take a different perspective toward fingerprinting than we do and may use fingerprinting when working with other partners. However, we require that vendors comply with our policies when working with us via our products and platforms, regardless of how they register on the IAB TCF. We have longstanding policies against fingerprinting for identification of users and continue to prohibit it. This is also reflected in our TCF integration guidance and we require vendors to comply with this when interoperating with our ads products.” 

Amid all the perplexities, some ad tech executives have teased out some clarity. According to Ian Trider, vp of real time bidding platform operations at ad tech firm Centro, Google is not being confusing; instead the company is recognizing even it has limits on its power.

“The rules specifically relate to any scenario where Google’s systems are involved. This does not necessarily mean that [Google] is tacitly accepting the practice elsewhere — only that there are limits to its control. Its position about what should or should not happen is otherwise clear — no fingerprinting,” Trider said. “This makes sense to me, because it may be an overreach for Google to order companies to refrain from engaging on an activity when it has nothing to do with Google’s platforms or inventory.”

But when there is confusion, some firms are reluctant to make it publicly known to Google that they are worried their partners might be engaged in fingerprinting on their watch because Google could penalize the firms as well as their partners. Said the first unnamed ad tech exec, “Since we are depending on the ability for our clients to push tags from us to Google’s different platforms, and then for Google to serve files hosted by us and from our domains, if we were removed from that [approved vendor] list it would heavily affect us.”

https://digiday.com/?p=416313
Digiday Top Stories